Windseeker app spies on chats using injection, hooking techniques

Windseeker targets Chinese users, but its malicious techniques could become more widespread in the mobile arena.

A security firm discovered a malicious Android app, called “Windseeker,” that takes advantage of injection and hooking techniques not commonly seen in the mobile arena to spy on users.

Windseeker, which runs on rooted Android devices, allows attackers to monitor popular instant messaging apps in China, WeChat and QQ. But Avi Bashan, CISO at Lacoon Mobile Security, who blogged about the threat on Tuesday, noted that it was “important to understand that this type of threat could be implemented anywhere.”

Lacoon spotted Windseeker in third-party app marketplaces, but an attacker needs physical access to the device to install and register the app. In a Thursday interview with SCMagazine.com, Bashan explained the app’s injection and hooking tactics – a focal point of the threat.

“The technique has two stages,” Bashan said. “The first is the injection, which happens on the native level. The attacker app deploys a native file that uses ptrace, which helps them inject another file into the [targeted] instant messaging app.”

In the next stage, the injected native file loads a java file that allows API hooking, he explained.

“Hooking over an API code means that every time the app calls to the API, instead of going directly to the system, [data] is intercepted by [the attacker]. When it’s on the device itself, it’s called ‘hooking;’ when it’s over the network, it’s called a man-in-the-middle attack. PC malware has done this for years.”

In his blog post, Bashan further highlighted that the hooking technique was not a common attack method in the mobile arena.

“Up until now, commercial mobile surveillance apps usually obtained an app’s data through the file system or through a memory dump,” he wrote. “This hooking technique marks a new step in the evolution of malicious activity in mobile, which resembles the way PC-based malware has also evolved over the years. It’s only a matter of time until we see these adopted techniques become widespread and move into general mass-targeting mobile malware,” Bashan said.